Creating A Lubuntu Virtual Machine For Computer Forensics Teaching

[ This is a reposting of my teaching blog post previously hosted on http://users.ox.ac.uk/~coml0454.
NOTE: I no longer teach at University of Oxford and this is a description of how I used to teach the course.]

Summary

This post describes how to create a Lubuntu-based virtual machine (VM) for use when teaching computer forensic analysis and investigation. It discusses the background to the use of the VM, how the VM is created in VMware Fusion, and how Sleuthkit and other Linux-based utilities are installed. The post finishes with some suggestions on how the VM issued in class can be configured for the classroom teaching computers. It assumes the reader is familiar with Linux and with a virtualization application such as VMware. [While the applications and utilities used are appropriate for a computer forensics investigation, a VM is most probably not an appropriate basis for a production system for computer forensic analysis and investigation, because of the overhead the VM adds.]

Background

The FOR module on the Software and Systems Security programme includes a number of classroom exercises associated with the extraction and analysis of computer system artifacts. The assignments may also involve the extraction and analysis of computer system artifacts. To encourage understanding of the extraction and analysis process, the exercises use Linux and Sleuthkit utilities which are run from the command line. To allow the transfer of understanding and skills from the classroom exercises to the assignment, the students use a Linux-based VM for the classroom exercises and receive a copy of that VM for use when undertaking the assignment.

Linux and Sleuthkit have been chosen as there are no licensing issues associated with their distribution. Ubuntu distributions have been used for previous VMs used during the FOR module. The VM needs to be kept reasonably up to date while at the same time keeping the size of the virtual machine reasonably small. Using the latest main Ubuntu distributions has resulted in the size of the virtual machine increasing. As a consequence this year I have chosen the Lubuntu 12.04 distribution to build the “Investigator” virtual machine. Lubuntu is a lighter-weight Ubuntu distribution.

VM Creation

In this instance, the Investigator VM is created in VMware Fusion 5 using Lubuntu 12.10. The lubuntu-12.10-desktop-i386.iso can be downloaded from Ubuntu. Before building from it, verify the downloaded ISO against the checksum Ubuntu publishes alongside the image, so that the forensic workstation is built from an untampered release.

[Note: As of July 18, 2013, the VMware Fusion 5 VMware Tools do not install correctly on the latest version of Lubuntu 13.10. The distribution has changed where it keeps the Linux kernel header files, so the Tools kernel modules do not build correctly.]

The VM is created using the standard VMware Fusion method and configured with the following settings:

Memory = 1GB

Hard Disk = 20GB in 2GB blocks

Network adapter host = NAT

Compatibility = VMware 3

Once the VM is ready to go, start the VM. (I ignore the request to upgrade as I want the VM to be able to run on earlier versions of the VMware applications.)
The VM will open at the Lubuntu live desktop. Launch the Lubuntu CD Installer shown on the virtual machine’s Desktop.
The Lubuntu installation is configured with the following parameters:

TZ = Washington DC

Keyboard = US

Hostname = investigator

VM name = Investigator

Username = Forensic Investigator (forensic)

Password = oucl2013

Login = automatic

The password is published here and the VM logs in automatically, so the Investigator VM should be treated as a shared classroom image: keep its network adapter on NAT behind the host rather than bridging it onto a shared network, and do not reuse the credential anywhere else.

Once the Lubuntu installation is complete, restart the VM. At this point I disable automatic updates so as not to have updates break any of the tools that are built as part of this setup.

Now open LXTerminal (Terminal) and add it to the Desktop and Panel.

Install Updates

Open LXTerminal and, using the command line, install the latest Lubuntu distribution updates before we build the tools.

Install Build Essential Tools & Headers

Edit .bashrc

I like to have a colour prompt in the terminal so I edit .bashrc and enable the colour prompt.

nano .bashrc

Remove the # so this line now reads as:

force_color_prompt=yes

Edit the colours and prompt layout as you please. This is my preferred prompt - green user and host name, blue working directory, and the prompt on a new line so you have the maximum space to type a command before the line wraps around:

Once .bashrc is edited, the changes can be implemented immediately by issuing the following command in the terminal:

source .bashrc

Install VMware Tools

Use the VMware Fusion menu VMware Fusion > Virtual Machine > Install VMware Tools to create the VMware Tools CD and make it appear as a Removable Disk.
Open the Removable Disk and copy the VMware Tools compressed file to the /tmp folder. Then eject the CD. In the terminal, change directory to /tmp, uncompress the file, run the VMware Tools installation script and set up the network module.

Install Sleuthkit

Install Autopsy v2

Download Autopsy from http://www.sleuthkit.org/autopsy/v2/download.php. In this instance I create a folder evidence_locker in the guest filesystem for Autopsy to use. As this is a virtual machine a more practical approach would be to share a folder in the host filesystem that Autopsy could use.

Add SQLite Manager To Firefox

SQLite Manager is a useful extension to Firefox for looking at SQLite databases, such as those later versions of Firefox use to store the browser history. To install SQLite Manager, launch Firefox and add SQLite Manager via Firefox’s Add-ons Manager. SQLite Manager will appear in the Tools menu after restarting Firefox.

And To Clean Up

Clean .bash_history
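The command-line steps above, from Install Updates through Clean .bash_history, collected into one script. This is an added example written for this page, not the original post's own commands (which this copy of the post does not reproduce): the file name build_investigator.sh, the Ubuntu package names, the vmware-install.pl -d flag, the evidence_locker permissions and the PS1 string are assumptions chosen to match the descriptions above.

```shell
#!/bin/bash
# build_investigator.sh (assumed name): an added example that scripts the build
# steps described above for Lubuntu 12.10. It is not the original post's code.
# Run as the "forensic" user inside the VM:  ./build_investigator.sh --run
# With no argument it only defines the functions, so they can be sourced.
set -e

# Install Updates: bring the distribution up to date before building anything.
install_updates() {
    sudo apt-get update
    sudo apt-get -y upgrade
}

# Install Build Essential Tools & Headers: needed by the VMware Tools module build.
install_build_deps() {
    sudo apt-get -y install build-essential linux-headers-"$(uname -r)"
}

# Edit .bashrc: uncomment force_color_prompt in the given file (default ~/.bashrc).
# Written via a temporary file so it works with both GNU and BSD sed.
enable_color_prompt() {
    local rc="${1:-$HOME/.bashrc}"
    sed 's/^#\(force_color_prompt=yes\)$/\1/' "$rc" > "$rc.tmp"
    mv "$rc.tmp" "$rc"
}

# A PS1 matching the description above (green user@host, blue working directory,
# prompt on a new line). This value is an assumption, not the author's own prompt.
EXAMPLE_PS1='\[\e[01;32m\]\u@\h\[\e[00m\]:\[\e[01;34m\]\w\[\e[00m\]\n\$ '

# Install VMware Tools: expects the tarball from the Tools CD already copied to /tmp.
# "-d" makes vmware-install.pl accept its default answers (assumed flag).
install_vmware_tools() {
    local tarball
    tarball=$(ls /tmp/VMwareTools-*.tar.gz 2>/dev/null | head -n 1)
    [ -f "$tarball" ] || { echo "no VMwareTools tarball in /tmp" >&2; return 1; }
    tar -xzf "$tarball" -C /tmp
    sudo /tmp/vmware-tools-distrib/vmware-install.pl -d
}

# Install Sleuthkit from the Ubuntu repositories and create the evidence locker
# used by Autopsy v2, readable only by the forensic user.
install_sleuthkit() {
    sudo apt-get -y install sleuthkit
    mkdir -p "$HOME/evidence_locker"
    chmod 700 "$HOME/evidence_locker"
}

# Clean .bash_history: empty the history file so the issued VM does not carry
# the build session's commands. Argument: home directory (default $HOME).
clean_history() {
    local home="${1:-$HOME}"
    : > "$home/.bash_history"
    history -c 2>/dev/null || true
}

main() {
    install_updates
    install_build_deps
    enable_color_prompt
    install_vmware_tools
    install_sleuthkit
    clean_history
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The Autopsy v2 tarball from the download page linked above is left to a manual step, since its setup asks interactively for the Sleuthkit and evidence locker paths; the evidence_locker directory created here is the one to give it.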

To Configure The VM For Your Use

Set The Keyboard Type

Launch the Lxkeymap application in the Preferences menu to set the keyboard type.

Set Display Size

The default VM has a display size of 800 x 600 pixels. Launch the Monitor Settings application in the Preferences menu to set the display size.

Set The Timezone

Launch the Date and Time application in the System Tools menu to set the timezone. Remember to Unlock the panel in order to make the changes.

Set The Directory Sharing Between The Guest and The Host

When the VM is opened in VMware Fusion, open the Settings panel and select the Sharing tab. Click the + button and select the host folder you want to share with the VM. The folder will appear in the VM guest filesystem under the path /mnt/hgfs/{name}, e.g. /mnt/hgfs/Workspace for a host folder named Workspace. You can rename the guest folder in the VM by clicking on the name in the Shared Folders panel.
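The shared folder is the natural place to keep evidence images for Autopsy and Sleuthkit, as the Autopsy section above suggests. Before analysing an image read through /mnt/hgfs, a practitioner would confirm it still matches the hash taken on the host. This is an added example for this page, not part of the original post: the script name, the Workspace folder name, the *.dd naming and the <image>.sha256 sidecar convention are assumptions.

```shell
#!/bin/bash
# verify_evidence.sh (assumed name): check that evidence images reached through
# the VMware shared folder match the SHA-256 recorded on the host.
# Host side (assumed convention):  sha256sum image.dd > image.dd.sha256

# Print the SHA-256 of a file as bare hex. Falls back to shasum where
# coreutils sha256sum is not installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Usage: verify_evidence <image> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 if the image cannot be read.
verify_evidence() {
    local image="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$image" ] || { echo "ERR  cannot read $image" >&2; return 2; }
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $image" >&2
        return 0
    fi
    echo "FAIL $image: expected $expected, got $actual" >&2
    return 1
}

# Verify every *.dd in a shared folder (default /mnt/hgfs/Workspace) against its
# <image>.sha256 sidecar. Returns non-zero if any image fails or lacks a sidecar.
verify_shared_folder() {
    local dir="${1:-/mnt/hgfs/Workspace}" img rc=0
    for img in "$dir"/*.dd; do
        [ -e "$img" ] || continue
        if [ ! -f "$img.sha256" ]; then
            echo "SKIP $img: no .sha256 sidecar" >&2
            rc=1
            continue
        fi
        verify_evidence "$img" "$(cut -d' ' -f1 "$img.sha256")" || rc=1
    done
    return $rc
}

# Stand-alone use: verify_evidence.sh [shared-folder]
if [ "${1:-}" != "" ] || [ -d /mnt/hgfs/Workspace ]; then
    verify_shared_folder "${1:-/mnt/hgfs/Workspace}"
fi
```

Hash the image once more after any Sleuthkit run that could have written to it by mistake; if your VMware version lets the share be marked read-only, use that as well so the guest cannot alter the host copy.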